
Adjusting Prevention Policy Options Based on Prevention Events

Version 1.0

July 2006

Table of Contents

1. WHO SHOULD READ THIS DOCUMENT
2. WHERE TO GET MORE INFORMATION
3. VERIFYING THE OPERATION OF AN AGENT COMPUTER
4. ABOUT EVENT DETAILS
4.1. ABOUT EVENT TYPES
4.2. ABOUT EVENT SEVERITY LEVELS
4.3. ABOUT FILE ACCESS EVENTS
4.4. ABOUT REGISTRY ACCESS EVENTS
4.5. ABOUT NETWORK ACCESS EVENTS
4.6. ABOUT BUFFER OVERFLOW EVENTS
4.7. ABOUT OS CALL EVENTS
5. ADJUSTING POLICIES BASED ON FILE AND REGISTRY ACCESS EVENTS
5.1. SCENARIO 1: EVENT IS WRITE DENIAL AND YOU WANT TO MAKE THE RESOURCE WRITABLE
5.1.1. Making a resource writable for a process or process set
5.1.2. Making a resource writable at the group level
5.1.3. Making a resource writable at the global level
5.2. SCENARIO 2: EVENT IS READ DENIAL AND YOU WANT TO SET RESOURCE PROTECTION TO READ-ONLY
5.2.1. Making a resource read-only for a specific process or process set
5.2.2. Making a resource read-only at the group level
5.2.3. Making a resource read-only at the global level
5.3. SCENARIO 3: EVENT IS A DENIAL AND YOU WANT THE DENIAL TO BE SILENT
5.4. SCENARIO 4: DIFFERENT ACCESS DENIAL EVENTS FOR A SPECIFIC PROCESS
5.4.1. The program has no privileges
5.4.2. The program tries to create or modify an executable file
5.4.3. The program tries to modify a startup folder
5.4.4. The program requires access to a specific resource set
5.4.5. The program requires wide access to resources
6. ADJUSTING POLICIES BASED ON NETWORK ACCESS EVENTS
6.1. SCENARIO 1: ACCEPT IS DENIED AND YOU WANT TO ALLOW INBOUND NETWORK CONNECTIONS
6.1.1. Allowing a specific process set to accept network connections
6.1.2. Allowing all interactive programs or all services to accept network connections
6.1.3. Allowing all programs to accept network connections
6.2. SCENARIO 2: EVENT IS A CONNECT DENIAL AND YOU WANT TO ALLOW THE CONNECT OPERATION
6.2.1. Allowing a specific process set to make outbound network connections
6.2.2. Allowing all interactive programs or all services to make outbound network connections
6.2.3. Allowing all programs to make outbound network connections
7. ADJUSTING POLICIES BASED ON BUFFER OVERFLOW EVENTS
7.1. SCENARIO 1: BUFFER OVERFLOW DETECTED AND YOU WANT TO STOP BUFFER OVERFLOW DETECTION FOR A SPECIFIC PROCESS OR PROCESS SET
8. ADJUSTING POLICIES BASED ON OS CALL EVENTS
8.1. SCENARIO 1: OS CALL WAS DENIED AND YOU WANT TO ALLOW THIS OS CALL TO A SPECIFIC PROCESS SET
9. APPENDIX A: PROCESS SET TO POLICY OPTIONS MAPPING
9.1. WINDOWS PREVENTION POLICIES
9.2. LINUX PREVENTION POLICY
9.3. SOLARIS PREVENTION POLICY

1. Who should read this document

This document is intended for use by Symantec Critical System Protection policy administrators. The document discusses how to adjust prevention policies, based on prevention event details.

When reading this document, please note the following:

• To match a process set with the correct policy option, see Appendix A: Process set to policy options mapping.

• Rules protecting Symantec Critical System Protection resources cannot be overridden by policy options. See the Symantec Critical System Protection Prevention Policy Reference Guide for more information.

2. Where to get more information

For more information on events, see the Symantec Critical System Protection Administration Guide.

For more information on prevention policies, see the Symantec Critical System Protection Prevention Policy Reference Guide.

3. Verifying the operation of an agent computer

Once you apply a Symantec Critical System Protection prevention policy to an agent computer, you can verify the operation of the agent computer by viewing the events that were sent to the management server.

The Monitors page in the management console displays event information that was reported to the management server from your entire agent deployment.

To verify the operation of an agent computer, search the Monitors page for event messages from the agent computer. Messages with a severity of Warning indicate unexpected activity or problems that were already handled by Symantec Critical System Protection. If a message has an event type of file access, network access, OS call, or buffer overflow, then a severity of Warning indicates abnormal application behavior that was stopped.

Even if the prevention policy is not enforcing prevention (that is, the disable prevention option is set), improper access to resources by a service or application will generate log messages. With the disable prevention option set, the disposition field in a log message will indicate allow instead of deny, and the event severity will appear on the Monitors page in blue instead of red.

After investigating these warning messages, you may find that Symantec Critical System Protection prevented an attempt to attack the agent computer or that the events do not reflect a risk condition on the system. In the latter case, you may want to further configure the policy so that it does not produce these events in the future.

To verify the operation of an agent computer:

1. In the management console, click Prevention View.

2. In the management console, click Monitors.

3. On the Monitors page, in the event pane, select an event from the agent computer.

Details about the selected event are shown in the lower portion of the event pane.

4. About event details

Prevention events with a severity of Warning describe different policy violations. Understanding event details is the first step in finding the correct policy settings that eliminate an event.

4.1. About event types

Events are informative, notable, and critical activities that concern the Symantec Critical System Protection agent and management server. The agent logs events to the management server, and the management console lets you view summaries and details of those events.

Symantec Critical System Protection groups events by type. The event type specifies whether a process violated a policy by an unauthorized attempt to access a file, registry key, network resource, or system call, or if a buffer overflow event was detected.

The following table lists the Symantec Critical System Protection prevention event types.

• File access – These events contain information about applications that access files and directories.

• Registry access – These events contain information about applications that access registry keys.

• Network access – These events contain information about applications that access the TCP/IP network.

• Buffer overflow – These events contain information about applications that execute code that was inserted by using buffer overflows. Buffer overflow events apply to agent computers that run the Windows operating system.

• OS call – These events contain information about applications that make selected operating system calls that are often exploited by attackers.

• Mount – These events contain information about applications that mount or unmount file systems.

• Process assignment – These events contain information about the assignment of a process to a process set.

• Process create – These events contain information about the creation of a process.

• Process destroy – These events contain information about the termination of a process.

4.2. About event severity levels

Symantec Critical System Protection assigns a severity level to each event. The following table lists the Symantec Critical System Protection severity levels.

• Information – These events contain information about normal system operation.

• Notice – This severity level is used for events of trivial violations when a prevention policy is configured to show these events. By default, these events are not produced by an agent.

• Warning – These events indicate unexpected activity or problems that were already handled by Symantec Critical System Protection. Warning messages might indicate that a service or application on an agent computer is functioning improperly with the applied policy. After investigating the policy violations, you can configure the policy to allow the service or application to access the specific resources if necessary.

• Critical – These events indicate activity or problems that might require administrator intervention to correct.

• Error – These events indicate detection policy internal errors. Error events are rare.

4.3. About file access events

File access events contain information about applications that access files and directories. File access event details include the following information:

• Event Severity – For policy violations, event severity is Warning.

• User Name – Name of the user who was the process owner at the time of the event.

• Policy Name – Name of the policy that was in effect at the time of the event.

• File Name – Full path of the protected file.

• Process – Full path of the process that attempted to access the file.

• Disposition – Indicates whether access was Allowed or Denied.

• Process Set – Process set to which the process was assigned at the time of the event. The process set is important for understanding which policy options are relevant for this event.

• Permissions Requested – Permissions (write, delete, etc.) requested by the process accessing the file.

4.4. About registry access events

Registry access events contain information about applications that access registry keys. Registry access event details include the following information:

• Event Severity – For policy violations, event severity is Warning.

• User Name – Name of the user who was the process owner at the time of the event.

• Policy Name – Name of the policy that was in effect at the time of the event.

• Registry key – Full path of the protected registry key.

• Process – Full path of the process that attempted to access the registry key.

• Disposition – Indicates whether access was Allowed or Denied.

• Process Set – Process set to which the process was assigned at the time of the event. The process set is important for understanding which policy options are relevant for this event.

• Permissions Requested – Permissions (set_value, create_sub_key, etc.) requested by the process accessing the registry key.

4.5. About network access events

Network access events contain information about applications that access the TCP/IP network. Network access event details include the following information:

• Event Severity – For policy violations, event severity is Warning.

• User Name – Name of the user who was the process owner at the time of the event.

• Policy Name – Name of the policy that was in effect at the time of the event.

• Operation – Connect or Accept.

• Protocol – TCP or UDP.

• Local IP – IP address that was used by the local computer.

• Local Port – Local port number.

• Remote IP – IP address of the remote computer.

• Remote Port – Port number of the remote computer.

• Process – Full path of the process that attempted to access the network.

• Disposition – Indicates whether access was Allowed or Denied.

• Process Set – Process set to which the process was assigned at the time of the event. The process set is important for understanding which policy options are relevant for this event.

4.6. About buffer overflow events

Buffer overflow events contain information about applications that execute code that was inserted by using buffer overflows. Buffer overflow events apply to agent computers that run the Windows operating system.

Buffer overflow event details include the following information:

• Event Severity – For policy violations, event severity is Warning.

• User Name – Name of the user who was the process owner at the time of the event.

• Policy Name – Name of the policy that was in effect at the time of the event.

• Operation – Function that was called from injected code, intercepted by the Symantec Critical System Protection driver.

• Process – Full path of the process that attempted to execute code inserted by using buffer overflows.

• Disposition – Return value set by the Symantec Critical System Protection driver for the intercepted function. When prevention is turned on, the value is Denied, since the driver fails the function.

• Process Set – Process set to which the process was assigned at the time of the event. The process set is important for understanding which policy options are relevant for this event.

4.7. About OS call events

OS call events contain information about applications that make selected operating system calls that are often exploited by attackers. OS call event details include the following information:

• Event Severity – For policy violations, event severity is Warning.

• User Name – Name of the user who was the process owner at the time of the event.

• Policy Name – Name of the policy that was in effect at the time of the event.

• Operation – Protected OS function call (for example, link).

• Process – Full path of the process that attempted to make the operating system call.

• Disposition – Return value set by the Symantec Critical System Protection driver for the intercepted function.

• Process Set – Process set to which the process was assigned at the time of the event. The process set is important for understanding which policy options are relevant for this event.

5. Adjusting policies based on file and registry access events

This section explains how to adjust policy options based on file and registry access events.

See About file access events.

See About registry access events.

5.1. Scenario 1: Event is write denial and you want to make the resource writable

Resource protection rules originate from behavior control descriptions (BCDs) or policy options. Policy options supersede BCD rules, allowing you to adjust the policy. When relaxing policy protection for a resource, you should apply the change to a small group of programs, so that the resource remains protected from most of the running processes.

5.1.1. Making a resource writable for a process or process set

To make a file or registry key writable for a specific process or process set, first identify the process set name in the event. Then identify the policy option group that controls this process set. Add (type or paste) the file path or registry key path to the writable resource list under the relevant option group.

For example, suppose the event is a file access event, and the process set is iis_ps. Enable Service Options > Application Service Options > Internet Information Service > Advanced Options > Resource Lists > Writable Resource Lists > Allow Modifications to these files. Add the file path to the Value box in the List of files that can be modified. If the process belongs to the default interactive programs or default services (daemons), then the resource list options let you limit the cases when the rule applies by also specifying the program path, program command-line arguments, user name and group name.

5.1.2. Making a resource writable at the group level

The Symantec Critical System Protection prevention policies refer to each process as either interactive or service (daemon). Interactive Program Options apply to the group of all interactive processes, while Service Options apply to the group of all service processes. You can make a file or registry key writable at the group level by adding it to the writable resource list of the relevant group (interactive program or service).

A program can be considered an interactive program or a service (daemon), depending on how the program was launched. The best way to identify whether a process belongs to the interactive or service group is by the process set name that appears in the event.

Sometimes a resource is denied access because of a resource list restriction set at the specific option level. In this case, when adding the resource to the writable resource list at the group level, the resource remains protected at the specific level. To make the resource writable for the specific process set as well, remove the resource list restriction.

For example, suppose a registry key appears in the read-only list of IIS (Service Options > Application Service Options > Internet Information Service > Advanced Options > Resource Lists > Read-only Resource Lists > Block Modifications to these Registry keys > List of Registry keys that should not be modified). IIS is still denied write access to the registry key even after adding this registry key to the services writable resource list (Service Options > General Service Options > Resource Lists > Writable Resource Lists > Allow modifications to these Registry keys > List of Registry keys that can be modified).

5.1.3. Making a resource writable at the global level

You can make a resource writable to all processes by adding its path to the writable resource list at the global level (Global Policy Options > Resource Lists > Writable Resource Lists).

Sometimes a resource is denied access because of a resource list restriction set at the specific option level or at the group level (for example, for all interactive programs). In this case, when adding the resource to the writable resource list at the global level, the resource remains protected at the more specific level. To make the resource writable for the specific process set, remove the resource list restriction from the specific resource list. To make the resource writable for the entire group, remove the resource list restriction from the group resource list.

For example, if a registry key appears in the read-only list (Service Options > General Service Options > Resource Lists > Read-only Resource Lists > Block Modifications to these Registry keys > List of Registry keys that should not be modified), then all services would be denied write access to the registry key even after adding this registry key to the global writable resource list (Global Options > Resource Lists > Writable Resource Lists > Allow modifications to these Registry keys > List of Registry keys that can be modified).

5.2. Scenario 2: Event is read denial and you want to set resource protection to read-only

Resource protection rules originate from BCDs or policy options. Policy options supersede BCD rules, allowing you to adjust the policy. When relaxing policy protection for a resource, you should apply the change to a small group of programs, so that the resource remains protected from most of the running processes.

5.2.1. Making a resource read-only for a specific process or process set

To make a file or registry key read-only for a specific process or process set, first identify the process set name in the event. Then identify the policy option group that controls this process set. Add (type or paste) the file path or registry key path to the read-only resource list under the relevant option group.

For example, if the event is a file access event, and the process set is iis_ps, then enable the option Service Options > Application Service Options > Internet Information Service > Advanced Options > Resource Lists > Read-only Resource Lists > Block Modifications to these files. Then add the file path to the Value box in the List of files that should not be modified. If the process belongs to the default interactive programs or default services (daemons), then the resource list options let you limit the cases when the rule applies by specifying also the program path, program command-line arguments, user name and group name.

5.2.2. Making a resource read-only at the group level

You can make a file or registry key read-only at the group level by adding it to the read-only resource list of the relevant group (interactive program or service).

Sometimes a resource is denied access because of a resource list no-access restriction set at the specific option level. In this case, when adding the resource to the read-only resource list at the group level, the resource remains non-accessible at the specific level. To make the resource read-only for the specific process set as well, remove the resource list restriction.

For example, if a registry key appears in the no-access list of IIS (Service Options > Application Service Options > Internet Information Service > Advanced Options > Resource Lists > No-Access Resource Lists > Block all access to these Registry keys > List of Registry keys that should not be accessed), then IIS is still denied all access to the registry key even after adding this registry key to the services read-only resource list (Service Options > General Service Options > Resource Lists > Read-only Resource Lists > Block modifications to these Registry keys > List of Registry keys that should not be modified).

5.2.3. Making a resource read-only at the global level

You can make a resource read-only to all processes by adding its path to the read-only resource list at the global level (Global Policy Options > Resource Lists > Read-only Resource Lists).

Sometimes a resource is denied access because of a resource list no-access restriction set at the specific option level or at the group level (for example, for all interactive programs). In this case, when adding the resource to the read-only resource list at the global level, the resource remains non-accessible at the more specific level. To make the resource read-only for the specific process set, remove the resource list no-access restriction from the specific resource list. To make the resource read-only for the entire group, remove the resource list no-access restriction from the group resource list.

For example, if a registry key appears in the no-access list (Service Options > General Service Options > Resource Lists > No-Access Resource Lists > Block all access to these Registry keys > List of Registry keys that should not be accessed), then all services are denied all access to the registry key even after adding this registry key to the global read-only resource list (Global Options > Resource Lists > Read-only Resource Lists > Block modifications to these Registry keys > List of Registry keys that should not be modified).

5.3. Scenario 3: Event is a denial and you want the denial to be silent

Sometimes a valid program may attempt to access a protected resource, and you may want the resource to remain protected. This scenario is more likely to happen with default services or default interactive programs, because they do not have tailored BCDs. Policy options for default services and default interactive programs provide the means to silence these events. Silent means that these events are considered trivial and therefore are only generated by an agent if the option to enable logging of trivial policy violations is enabled.

To silence an event for a default service or a default interactive program, first identify the process set and the permission requested attribute in the event. Then set the correct option under Service Options > Default Service Options > Resource Lists or Interactive Program Options > Default Interactive Program Options > Resource Lists.

For example, to silence a file read access event by an interactive program, enable Interactive Program Options > Default Interactive Program Options > Resource Lists > Read-only Resource Lists > Block and log all access to these files as trivial. Then add the program and file details in the List of files that should not be accessed.

Note: Adding the program path is optional but recommended. If you do not add the program path, then the event will be silent for all default programs in the group (for example, for all the default interactive programs).

5.4. Scenario 4: Different access denial events for a specific process

5.4.1. The program has no privileges

A program may be denied access to resources because the program runs under a process set that has no privileges. The prevention policies assign programs to a non-privileged process set as a means of denying them the ability to run or to access any resource. This can happen if the program was explicitly specified as one that should not run, or when the sequence that created the program did not seem normal. The non-privileged process set names are as follows:

• int_nopriv_ps

• svc_nopriv_ps

• int_mailchild_unsafe_ps

To determine if a program was denied access to a resource due to being in a non-privileged process set, compare the process set name from the event with one of these process sets. If you need the program to run, then the first step should be to understand why the program was sent to the non-privileged process set.

Reasons for a program to be in svc_nopriv_ps (Windows)

The prevention policies list several programs as programs that should not be launched by services. These programs, which are usually not started by services under normal operation, can pose a risk to the system if launched by malicious software. This list of programs is defined under Service Options > General Service Options > Additional Parameter Settings > Disable service execution of specific programs. Identify the program name as it appears in the Process attribute in the event.

If this program path also appears in the list specified above, then this configuration denies the program from gaining any privilege when being launched from a service. To allow this program to be launched by services, you can specify conditions under which the program can run. The conditions are details on the program command-line arguments, user, and group. You can add these details in the exception list (Service Options > General Service Options > Additional Parameter Settings > Allow services to run these programs if using specific arguments > Exception List). Removing the program from the list of restricted programs is not recommended.

Reasons for a program to be in int_mailchild_unsafe_ps (Windows)

The prevention policies have an option for controlling which applications can be launched by Outlook and Outlook Express to open e-mail attachments. If the option Interactive Program Options > Specific Interactive Program Options > Outlook & Outlook Express > Basic Options > Disable opening of email attachments is enabled, then programs launched for opening e-mail attachments are routed to the int_mailchild_unsafe_ps process set. To specify exceptions to this rule, enable Interactive Program Options > Specific Interactive Program Options > Outlook & Outlook Express > Basic Options > Enable opening of specific email attachments, and specify the program details under The list of email attachment programs allowed to execute.

Reasons for a program to be in int_nopriv_ps (All platforms)

If a program is routed to the int_nopriv_ps process set, it is usually because the prevention policy does not expect the parent process to launch this program. If you are sure you want to allow the program to be launched, enable one of the options under Interactive Program Options > General Interactive Program Options > Alternate Privilege Lists, depending on the privilege that you want the program to have. For example, to give the program standard privileges, put the program details in Interactive Program Options > General Interactive Program Options > Alternate Privilege Lists > Specify Interactive Programs with Standard privileges > List of Interactive Programs with Standard privileges.

5.4.2. The Program tries to create or modify an executable file

The Windows prevention policies have options for restricting write access to executable files. This prevents unauthorized software installation on the protected system. The list of file name extensions considered to be executables can be found in the policy option Global Policy Options > Additional Parameter Settings > Enable control of modifications to executable files > List of executable file extensions. The option Block modifications to executable files under specific process set option groups determines if restrictions apply for writing executables for this process set. It is usually not recommended to disable these options, because that would allow arbitrary programs to write executables to the disk. Alternatively, you can use the writable resource list to allow write access. When using the writable resource list, you should be as specific as possible about the program using the resource and the resource name.

5.4.3. The Program tries to modify a startup folder

The Windows prevention policy has options for restricting write access to files under the startup folder. This prevents unauthorized launching of software as the system starts up. The option Block modifications to Startup folders, under a specific process set option group, determines if restrictions apply for writing to startup folders by this process set. It is usually not recommended to disable these options, because this technique is known to be used by malicious software to start itself after system restart. Alternatively, use the writable resource list to allow write access. When using the writable resource list, you should be as specific as possible about the program using the resource and the resource name.

5.4.4. The program requires access to a specific resource set

Sometimes a program that requires access to a set of resources is denied access by the out-of-the-box prevention policies. While the prevention policies provide per-process resource control for default programs, you should use the int_custompriv_ps process set if there are more than a few resources or if more than one program requires the custom rules. Policy options let you assign a selected program to this custom process set in order to define rules for it that do not apply to all the default programs. By doing this, you can allow programs assigned to the custom process set to access resources that are not accessible to other programs.

To assign a program to the int_custompriv_ps process set, insert the program details in Interactive Program Options > Custom Interactive Program Options > Specify Interactive Programs with Custom privileges > List of Custom Interactive Programs.

5.4.5. The program requires wide access to resources

If a critical program generates policy violation events for many resources, and you want to allow the program to access all the denied resources, you may want to consider elevating the privilege level for this program. If the program already has a BCD, then you can change the privilege level for this program using the specific Alternate Privilege Options group.

For example, to give the DNS Server safe privileges, enable Service Options > Core OS Service Options > DNS Server > Advanced Options > Alternate Privilege Level > Run with Safe Service Privileges.

Sometimes a program does not have a specific BCD. An example of this scenario might be anti-virus software that is not recognized by the out-of-the-box prevention policies. Policy options allow you to add security software to an already pre-defined Host Security process set. This is set using Global Options > Host Security Programs > Basic Options > Additional Host Security Programs Installed. Add the path to your security programs, in the Value box, in List of other Host Security Programs.

If the program does not have a BCD, and it is not a security program, you can give it safe or full privileges using the Alternate Privilege Level option, under the general group options. To give alternate privilege level to a service, enable Service Options > General Service Options > Alternate Privilege Lists. To specify an interactive program with safe or full privilege, use Interactive Program Options > General interactive Programs > Alternate Privilege Lists.

6. Adjusting policies based on network access events

This section explains how to adjust policy options based on network access events.

See About network access events.

6.1. Scenario 1: Accept is denied and you want to allow inbound network connections

Network access rules in the prevention policies are combined from BCD internal rules, remote IP addresses specified in the Remote Network Access Options, and port numbers specified via the resource list options.

When allowing remote network connections, it is usually advised to retain maximum security by applying the change to a small number of programs and opening the connection only with the required IP addresses.

6.1.1. Allowing a specific process set to accept network connections

To allow inbound connection for a specific process set:

1. Identify the relevant option group.


2. Configure the policy to allow inbound connections from specified IP addresses or from all IP addresses as required.

3. Configure the policy to allow accepting connections on a specific port and protocol. This is typically not required if the service is confined by a specific process set and accepts connection on a well-known port.

To identify the relevant option group, first identify the process set name in the event. Then identify the policy option group that controls this process set.

To configure the policy to allow inbound connections for specific IPs, add the IP addresses to the list of remote IPs that can make inbound connections under the relevant option group. For example, if the process set in the event is dns_ps, then enable Service Options > Application Service Options > DNS Server > Advanced Options > Remote Network Access Options > Prevent inbound network connections > Allow inbound network connections from these addresses, and add the IP addresses in List of addresses that can make inbound connections to this system, under this option. To allow inbound network access from all addresses, enable Allow inbound network connections from all addresses instead.

To configure the policy to allow accepting inbound network connection on a specific port and protocol, identify the protocol and port number from the event. Then use the Network Permit lists to add the port number in the permit list of the required protocol. For example, if the process set is svc_stdpriv_ps, and the protocol is TCP, then enable Service Options > Default Service options > Resource Lists > Permit listening for TCP requests, and add the port number, in the Value box, in the List of TCP ports to permit listening on.

6.1.2. Allowing all interactive programs or all services to accept network connections

To allow inbound network connections to all the interactive programs or all the services:

1. Identify the relevant option group.

2. Configure the policy to allow inbound connections from specified IP addresses. At this stage inbound connection is still restricted to allowed ports only.

3. Configure the policy to allow accepting connections on a specific port and protocol. This is typically not required if the service is confined by a specific process set and accepts connection on a well-known port.

To identify the relevant option group, first identify the process set name in the event. Then identify the policy option group that controls the group of processes for this process set.

To configure the policy to allow inbound connections for specific IPs, add the IP addresses to the list of remote IPs that can make inbound connections under the relevant option group. For example, if the process set in the event is dns_ps, and you want to allow inbound network connections to all the services, then enable Service Options > General Service Options > Remote Network Access Options > Prevent inbound network connections > Allow inbound network connections from these addresses, and add the IP addresses in List of addresses that can make inbound connections to this system.

There is usually no gain in setting the port configuration at the group level, because only one program should listen on a given port. To configure the policy to allow a specific process or process set to accept inbound network connections on a specific port and protocol, see Allowing a specific process set to accept network connections. To set the port at the group level, use the Network Permit lists to add the port number in the permit list of the required protocol. For example, if the group is Interactive Programs, and the protocol is TCP, then enable Interactive Program Options > Resource Lists > Network Permit List > Permit listening for TCP requests, and add the port number, in the Value box, in the List of TCP ports to permit listening on.


Note: If the policy is configured to deny inbound network access at the specific level, then inbound network connection at the specific level is denied even when it is allowed at the group level. For example, if you deny network access to the DNS server by enabling Service Options > Core OS Service Options > DNS Server > Advanced Options > Remote Network Access Options > Prevent Inbound network connections, and disabling Service Options > Core OS Service Options > DNS Server > Advanced Options > Remote Network Access Options > Prevent Inbound network connections > Allow inbound network connections from these addresses, then inbound connection to the DNS server would be denied regardless of the settings at the Service Options > General Service Options option group.

6.1.3. Allowing all programs to accept network connection

To allow inbound network connections to all programs:

1. Configure the policy to allow inbound connections from specified IP addresses. At this stage inbound connection is still restricted to allowed ports only.

2. Configure the policy to allow accepting connections on a specific port and protocol. This is typically not required if the service is confined by a specific process set and accepts connections on a well-known port.

To configure the policy to allow inbound connections for specific IPs, enable Global Policy Options > Remote Network Access Options > Prevent inbound network connections > Allow inbound network connection from these addresses, and add the IP addresses to List of addresses that can make inbound connections to this system.

There is usually no gain in setting the port configuration at the global level, because only one program should listen on a given port. To configure the policy to allow a specific process or process set to accept inbound network connections on a specific port and protocol, refer to the discussion on allowing interactive programs or services to accept network connections.

To set the port at the global level, use the Network Permit lists to add the port number in the permit list of the required protocol. For example, if the protocol is TCP, then enable Global Policy Options > Resource Lists > Network Permit List > Permit listening for TCP requests, and add the port number in the Value box for the List of TCP ports to permit listening on.

Note: If the policy is configured to deny inbound network access at the specific level (or the group level), then inbound network connection at the specific level (or group level) is denied even when it is allowed at the global level. For example, if you deny network access to the DNS server by enabling Service Options > Core OS Service Options > DNS Server > Advanced Options > Remote Network Access Options > Prevent Inbound network connections, and disabling Service Options > Core OS Service Options > DNS Server > Advanced Options > Remote Network Access Options > Prevent Inbound network connections > Allow inbound network connections from these addresses, then inbound connection to the DNS server would be denied regardless of the settings at the Global Policy Options > Remote Network Access Options.

6.2. Scenario 2: Event is a connect denial and you want to allow the connect operation

Network access rules in the prevention policies are combined from BCD internal rules, remote IP addresses specified in the Remote Network Access Options, and port numbers specified via the resource list options.

When allowing remote network connections, you should retain maximum security by applying the change to a small number of programs, and opening the connection only with the required IP addresses.

6.2.1. Allowing a specific process set to make outbound network connections

To allow outbound connection for a specific process set:


1. Identify the relevant option group.

2. Configure the policy to allow outbound connections to specified IP addresses or to all IP addresses, as required.

3. Configure the policy to allow outbound connections on a specific port and protocol.

To identify the relevant option group, first identify the process set name in the event. Then identify the policy option group that controls this process set.

To configure the policy to allow outbound connections for specific IPs, add the IP addresses to the list of remote IPs that can make outbound connections under the relevant option group. For example, if the process set in the event is dns_ps, then enable Service Options > Application Service Options > DNS Server > Advanced Options > Remote Network Access Options > Prevent outbound network connections > Allow outbound network connections to these addresses, and add the IP addresses in the List of addresses to which this system can make outbound network connections. To allow outbound network connections to all addresses, enable Allow outbound network connections to all addresses instead.

To configure the policy to allow outbound network connection on a specific port and protocol, identify the protocol and port number from the event. Then use the Network Permit lists to add the port number in the permit list of the required protocol. For example, if the process set is svc_stdpriv_ps, and the protocol is TCP, then enable Service Options > Default Service options > Resource Lists > Permit sending TCP requests, and add the port number in the Value box in the List of TCP ports to permit sending to.

6.2.2. Allowing all interactive programs or all services to make outbound network connections

To allow all interactive programs or all services to make outbound network connections:

1. Identify the relevant option group (interactive programs or services).

2. Configure the policy to allow outbound connections to specified IP addresses. At this stage, outbound connection is still restricted to allowed remote ports only.

3. Configure the policy to allow making outbound connections on a specific protocol and remote port.

To identify the relevant option group, first identify the process set name in the event. Then identify the policy option group that controls the group of processes for this process set.

To configure the policy to allow outbound connections to specific IPs, add the IP addresses to the list of IPs to which the local system can connect, under the relevant option group. For example, if the process set in the event is svc_stdpriv_ps, and you want to allow outbound network connections for all the services, then enable Service Options > General Service Options > Remote Network Access Options > Prevent outbound network connections > Allow outbound network connections to these addresses, and add the IP addresses in List of addresses to which this system can make network connections.

To set the port at the group level, use the Network Permit lists to add the port number in the permit list of the required protocol. For example, if the group is Interactive Programs, and the protocol is TCP, then enable Interactive Program Options > Resource Lists > Network Permit List > Permit sending TCP requests, and add the port number in the Value box in the List of TCP ports to permit sending to.

Note: If the policy is configured to deny outbound network access at the specific level, then outbound network connection at the specific level is denied even when it is allowed at the group level. For example, if you prevent the DNS server from making outbound connections by enabling Service Options > Core OS Service Options > DNS Server > Advanced Options > Remote Network Access Options > Prevent outbound network connections, and disabling Service Options > Core OS Service Options > DNS Server > Advanced Options > Remote Network Access Options > Prevent outbound network connections > Allow outbound network connections to these addresses, then outbound connections would be denied for the DNS server regardless of the settings at the Service Options > General Service Options option group.


6.2.3. Allowing all programs to make outbound network connections

To allow outbound network connections to all programs:

1. Configure the policy to allow outbound connections to specified IP addresses. At this stage outbound connection is still restricted to allowed remote ports only.

2. Configure the policy to allow making outbound connections on a specific protocol and remote port.

To configure the policy to allow outbound connections for specific IPs, enable Global Policy Options > Remote Network Access Options > Prevent outbound network connections > Allow outbound network connection to these addresses, and add the IP addresses to List of addresses to which this system can make outbound network connections.

To set the port at the global level, use the Network Permit lists to add the port number in the permit list of the required protocol. For example, if the protocol is TCP, then enable Global Policy Options > Resource Lists > Network Permit List > Permit sending TCP requests, and add the port number in the Value box in the List of TCP ports to permit sending to.

Note: If the policy is configured to deny outbound network connections at the specific level (or the group level), then outbound network connection at the specific level (or group level) is denied even when it is allowed at the global level. For example, if you prevent the DNS server from making outbound connections by enabling Service Options > Core OS Service Options > DNS Server > Advanced Options > Remote Network Access Options > Prevent outbound network connections, and disabling Service Options > Core OS Service Options > DNS Server > Advanced Options > Remote Network Access Options > Prevent outbound network connections > Allow outbound network connections to these addresses, then the DNS server would be denied outbound connections regardless of the settings at the Global Policy Options > Remote Network Access Options option group.
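The precedence notes in this section are easier to reason about when the rules are written out. The following Python model is an added example, not code from Symantec Critical System Protection or from this guide: it encodes only what the guide states (a level with Prevent enabled restricts remote addresses to its allowed-address list; a deny at a more specific level wins over an allow at a less specific level; allowing addresses does not by itself open a port, which still needs a Network Permit List entry unless the process set's BCD internal rules already cover it) and replays the DNS Server case from the notes. The LevelOptions and decide names, the "most restrictive wins" combination of address lists, the treatment of a level with Prevent disabled as non-restricting, the bcd_ports stand-in for BCD internal rules, and all sample addresses, ports and settings are assumptions of this model, constructed for illustration.

```python
"""Illustrative model (not SCSP code) of how the Remote Network Access Options
and Network Permit Lists combine across the specific, group and global levels
as described in section 6 of the guide. Sample settings are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class LevelOptions:
    """Remote Network Access Options plus the Network Permit List at one
    policy level (specific process set, group, or global)."""
    name: str
    prevent: bool = False          # "Prevent inbound/outbound network connections"
    allow_all: bool = False        # "Allow ... connections from/to all addresses"
    allowed_addresses: list = field(default_factory=list)  # "List of addresses ..."
    permit_ports: dict = field(default_factory=dict)       # e.g. {"TCP": {8053}}

    def address_allowed(self, addr: str) -> bool:
        # Assumption: a level with Prevent disabled imposes no address restriction.
        if not self.prevent or self.allow_all:
            return True
        a = ip_address(addr)
        return any(a in ip_network(n, strict=False) for n in self.allowed_addresses)

    def port_permitted(self, proto: str, port: int) -> bool:
        return port in self.permit_ports.get(proto.upper(), set())


def decide(levels, proto, port, addr, bcd_ports=None):
    """Return (allowed, reason) for one connection attempt.

    `levels` is ordered specific -> group -> global. Assumption matching the
    guide's notes: a deny at a more specific level wins over an allow at a
    less specific one, so every level with Prevent enabled must allow addr."""
    for lvl in levels:
        if not lvl.address_allowed(addr):
            return False, f"{addr} not allowed at {lvl.name} level"
    # Assumption: the port is acceptable if the process set's BCD internal
    # rules already cover it, or if any level's Network Permit List lists it.
    if port in (bcd_ports or {}).get(proto.upper(), set()):
        return True, f"{proto}/{port} allowed by BCD internal rules"
    for lvl in levels:
        if lvl.port_permitted(proto, port):
            return True, f"{proto}/{port} permitted by {lvl.name} permit list"
    return False, f"{proto}/{port} not in any permit list"


# Constructed stand-in for the DNS Server BCD's well-known ports.
DNS_BCD_PORTS = {"TCP": {53}, "UDP": {53}}


def dns_inbound_before_fix(addr="10.0.0.5", proto="TCP", port=53):
    """The situation in the Note: Prevent enabled for dns_ps with no allowed
    addresses, while the service group allows all addresses. Specific wins."""
    levels = [
        LevelOptions("dns_ps", prevent=True),
        LevelOptions("General Service Options", prevent=True, allow_all=True),
        LevelOptions("Global Policy Options"),
    ]
    return decide(levels, proto, port, addr, DNS_BCD_PORTS)


def dns_inbound_after_fix(addr, proto, port):
    """Scenario 1 applied at the specific level: allow one constructed subnet
    for dns_ps and permit one extra TCP listening port."""
    levels = [
        LevelOptions("dns_ps", prevent=True,
                     allowed_addresses=["10.0.0.0/24"],
                     permit_ports={"TCP": {8053}}),
        LevelOptions("General Service Options", prevent=True, allow_all=True),
        LevelOptions("Global Policy Options"),
    ]
    return decide(levels, proto, port, addr, DNS_BCD_PORTS)


if __name__ == "__main__":
    print("before fix:", dns_inbound_before_fix())
    for ev in [("10.0.0.5", "TCP", 53), ("192.168.1.1", "TCP", 53),
               ("10.0.0.5", "TCP", 8053), ("10.0.0.5", "UDP", 8053)]:
        print("after fix:", ev, "->", dns_inbound_after_fix(*ev))
```

Running the block prints the denial from the Note first, then shows that after the specific-level change a client in the allowed subnet reaches the well-known port, a client outside it is still refused at the dns_ps level, and a non-BCD port is reachable only once it appears in a permit list.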

7. Adjusting policies based on buffer overflow events

This section explains how to adjust policy options based on buffer overflow events.

See About buffer overflow events.

7.1. Scenario 1: Buffer Overflow detected and you want to stop Buffer Overflow detection for a specific process or process set

Programs confined using a specific process set have options for buffer overflow detection. For example, to disable buffer overflow detection for the DNS server, disable Service Options > Core OS Service Options > DNS Server > Advanced Options > Enable Buffer Overflow Detection.

To disable buffer overflow detection for a service that does not have a specific process set (default service), enable Service Options > Default Service Options > Enable Buffer Overflow Detection for Services with Standard privileges > Disable Buffer Overflow Detection for these Services with Standard Privileges, and add the program information in List of Standard Privilege Services that will have Buffer Overflow detection turned OFF. If the service is configured to run with safe privilege, then use Service Options > Default Service Options > Enable Buffer Overflow Detection for Services with Safe privileges > Disable Buffer Overflow Detection for these Services with Safe Privileges.

To disable buffer overflow detection for an interactive program that does not have a specific process set (default interactive program), enable Interactive Program Options > Default Interactive Program Options > Enable Buffer Overflow Detection for Interactive Programs with Standard privileges > Disable Buffer Overflow Detection for these Interactive Programs with Standard Privileges, and add the program information in the List of Standard Privilege Interactive Programs that will have Buffer Overflow detection turned OFF. If the interactive program is configured to run with safe privilege, then use Interactive Program Options > Default Interactive Program Options > Enable Buffer Overflow Detection for Interactive Programs with Safe privileges > Disable Buffer Overflow Detection for these Interactive Programs with Safe Privileges.

8. Adjusting policies based on OS call events

This section explains how to adjust policy options based on OS call events.

See About OS call events.

8.1. Scenario 1: OS Call was denied and you want to allow this OS call to a specific process set

Disabling OS call protection using policy options is only supported for non-specific process sets. On Windows platforms, the following non-specific process sets are supported:

• svc_fullpriv_ps

• int_fullpriv_ps

• svc_safepriv_ps

• int_safepriv_ps

• svc_stdpriv_ps

• int_stdpriv_ps

On Solaris and Linux platforms, the following non-specific process sets are supported:

• daemon_fullpriv_ps

• int_fullpriv_ps

• daemon_safepriv_ps

• int_safepriv_ps

• daemon_stdpriv_ps

• int_stdpriv_ps

Note: An exception to this rule is hsecurity_ps on Windows. To see whether you can disable OS call protection for the program, check the process set in the event. Use the process set and operation to identify the policy option that controls this OS call for this process set. For example, if the operation is link, and the process set is svc_safepriv_ps (Windows), then enable Service Options > Default Service Options > SysCall Options > Allow creation of hardlinks.

9. Appendix A: Process set to policy options mapping

9.1. Windows prevention policies

The following table lists the process set to policy options mapping for the Symantec Critical System Protection Windows prevention policies. The table is arranged alphabetically by process set name.

Process Set name            Group                 Option Path
dfssvc_ps                   Services              Service Options > Core OS Service Options > Distributed File System
dns_ps                      Services              Service Options > Core OS Service Options > DNS Server
exchange_ps                 Services              Service Options > General Service Options > Application Service Options > Microsoft Exchange Server
hsecurity_ps                Global                Global Policy Options > Host Security Programs
iexplore_ps                 Interactive Programs  Interactive Program Options > Specific Interactive Program Options > Internet Explorer
iis_ps                      Services              Service Options > Application Service Options > Internet Information Services
int_fullpriv_ps             Interactive Programs  Interactive Program Options > Full Interactive Program Options
int_custompriv_ps           Interactive Programs  Interactive Program Options > Custom Interactive Program Options
int_mailchild_noservers_ps  Interactive Programs  Interactive Program Options > Specific Interactive Program Options > Outlook & Outlook Express
int_mailchild_ps            Interactive Programs  Interactive Program Options > Specific Interactive Program Options > Outlook & Outlook Express
int_mailchild_unsafe_ps     Interactive Programs  Interactive Program Options > Specific Interactive Program Options > Outlook & Outlook Express
int_safepriv_ps             Interactive Programs  Interactive Program Options > Safe Interactive Program Options
int_stdpriv_noservers_ps    Interactive Programs  Interactive Program Options > Default Interactive Program Options
int_stdpriv_ps              Interactive Programs  Interactive Program Options > Default Interactive Program Options
kernel_ps                   Global                Global Policy Options > Kernel Driver Options
llssrv_ps                   Services              Service Options > Core OS Service Options > License Logging Service
msdtc_ps                    Services              Service Options > Core OS Service Options > Distributed Transaction Coordinator
msoffice_ps                 Interactive Programs  Interactive Program Options > Specific Interactive Program Options > Microsoft Office
mssqlsrv_ps                 Services              Service Options > Application Service Options > Microsoft SQL Server
mstask_ps                   Services              Service Options > Core OS Service Options > Task Scheduler Service
Ntfrs_ps                    Services              Service Options > Core OS Service Options > File Replication Service
outlook_ps                  Interactive Programs  Interactive Program Options > Specific Interactive Program Options > Outlook & Outlook Express
regsvc_ps                   Services              Service Options > Core OS Service Options > Remote Registry Service
remote_file_ps              Global                Global Policy Options > Remote File Access Options
rpcss_ps                    Services              Service Options > Core OS Service Options > Remote Procedure Call (RPC)
Scm_ps                      Services              Service Options > Core OS Service Options > Service Control Manager
scspagent_ps                Services              Service Options > General Service Options > Core OS Service Options > Symantec Critical System Protection Agent Service
scspconsole_ps              Interactive Programs  Interactive Program Options > Specific Interactive Program Options > Symantec Critical System Protection UI Programs
scspserver_ps               Services              Service Options > Core OS Service Options > Symantec Critical System Protection Management Service
snmp_ps                     Services              Service Options > Core OS Service Options > SNMP Service
spoolsv_ps                  Services              Service Options > Core OS Service Options > Print Spooler
spoolsv_child_ps            Services              Service Options > Core OS Service Options > Print Spooler
svc_custompriv_ps           Services              Service Options > Custom Service Options
svc_fullpriv_ps             Services              Service Options > Full Service Options
svc_safepriv_ps             Services              Service Options > Safe Service Options
svc_stdpriv_ps              Services              Service Options > Default Service Options
system_ps                   Services              Service Options > Core OS Service Options > Startup Processes
tapisrv_ps                  Services              Service Options > Core OS Service Options > Telephony
tcpsvcs_ps                  Services              Service Options > Core OS Service Options > Simple TCP/IP Services
termsrv_ps                  Services              Service Options > Core OS Service Options > Terminal Services
winmgmt_ps                  Services              Service Options > Core OS Service Options > Windows Management Instrumentation
Wins_ps                     Services              Service Options > Core OS Service Options > Windows Internet Name Service (WINS)

9.2. Linux prevention policy

The following table lists the process set to policy options mapping for the Symantec Critical System Protection Linux prevention policy. The table is arranged alphabetically by process set name.

Process Set name            Group                 Option Path
remote_file_ps              Global                Global Policy Options > NFS Server Access Options
apache_ps                   Daemons               Daemon Options > Application Daemon Options > Apache Web Server
mail_ps                     Daemons               Daemon Options > Application Daemon Options > Mail System
scspagent_ps                Daemons               Daemon Options > Core OS Daemon Options > Symantec Critical System Protection Agent daemon
bind_ps                     Daemons               Daemon Options > Core OS Daemon Options > Bind daemon
crond_ps                    Daemons               Daemon Options > Core OS Daemon Options > Cron daemon
ftpd_ps                     Daemons               Daemon Options > Core OS Daemon Options > FTP daemon
inetd_ps                    Daemons               Daemon Options > Core OS Daemon Options > Internet Services daemon
print_ps                    Daemons               Daemon Options > Core OS Daemon Options > Print System
rservices_ps                Daemons               Daemon Options > Core OS Daemon Options > Remote login services
rpc_ps                      Daemons               Daemon Options > Core OS Daemon Options > RPC port mapper
syslog_ps                   Daemons               Daemon Options > Core OS Daemon Options > System Logging daemons
tftpd_ps                    Daemons               Daemon Options > Core OS Daemon Options > TFTP daemon
daemon_stdpriv_ps           Daemons               Daemon Options > Default Daemon Options
int_gateway_ps              Daemons               Daemon Options > Default Daemon Options
rootpriv_ps                 Interactive Programs  Interactive Program Options > Root Program Options
int_stdpriv_ps              Interactive Programs  Interactive Program Options > Default Interactive Program Options

9.3. Solaris prevention policy

The following table lists the process set to policy options mapping for the Symantec Critical System Protection Solaris prevention policy. The table is arranged alphabetically by process set name.

Process Set name            Group                 Option Path
apache_ps                   Daemons               Daemon Options > Application Daemon Options > Apache Web Server
bind_ps                     Daemons               Daemon Options > Core OS Daemon Options > Bind daemon
crond_ps                    Daemons               Daemon Options > Core OS Daemon Options > crond daemon
daemon_stdpriv_ps           Daemons               Daemon Options > Default Daemon Options
ftpd_ps                     Daemons               Daemon Options > Core OS Daemon Options > FTP daemon
inetd_ps                    Daemons               Daemon Options > Core OS Daemon Options > inet daemon
int_stdpriv_ps              Interactive Programs  Interactive Program Options > Default Interactive Program Options
lpd_ps                      Daemons               Daemon Options > Core OS Daemon Options > Line printer daemon
remote_file_ps              Global                Global Policy Options > NFS Server Access Options
rootpriv_ps                 Interactive Programs  Interactive Program Options > Root Program Options
rpcd_ps                     Daemons               Daemon Options > Core OS Daemon Options > RPC port mapper
rservices_ps                Daemons               Daemon Options > Core OS Daemon Options > Remote login services
scspagent_ps                Daemons               Daemon Options > Core OS Daemon Options > Symantec Critical System Protection Agent daemon
sendmail_ps                 Daemons               Daemon Options > Application Daemon Options > Sendmail
syslogd_ps                  Daemons               Daemon Options > Core OS Daemon Options > syslog daemon
tftpd_ps                    Daemons               Daemon Options > Core OS Daemon Options > TFTP daemon
